Move auditing group #11789
Conversation
🤖 A k8s content image for this PR is available at: Click here to see how to deploy it. If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
(force-pushed d1add98 to 41bd216)
I have rebased this PR on top of the latest upstream master branch.
(force-pushed 41bd216 to 3b6903e)
I have rebased this PR on top of the latest upstream master branch again.
/retest
(force-pushed 3b6903e to 24148c2)
I have rebased this PR on top of the latest upstream master branch.
Move the auditing group so that rules related to auditing are always the last rules in the built XCCDF benchmark.

This change should prevent situations where a remediation of rules from other groups causes a need for changes in the audit configuration after audit has already been remediated. It's a problem mainly for Ansible Playbooks, because they are supposed to be run only once (unlike Bash remediations and Bash scripts).

This usually happens for the rule audit_rules_privileged_commands, which conflicts with package_sssd_installed. Currently, package_sssd_installed installs some SUID files which need to be added to the audit rules auditing privileged commands. But with the current layout, the remediation for package_sssd_installed is executed later than the remediation for audit_rules_privileged_commands, which means that audit_rules_privileged_commands starts to fail after sssd is installed.

Unfortunately, moving just a single rule would break the logical structure and would make the text guides chaotic, so we need to move the whole auditing group.

Fixes: ComplianceAsCode#11752
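The ordering hazard the description refers to, as an added example that is not code from this PR or from the ComplianceAsCode project: a privileged-commands remediation derives its audit rules from the SUID/SGID binaries present on disk at the moment it runs, so any later remediation that installs new SUID binaries leaves the rules incomplete and the check fails on the next scan. The search root, rules file path, rule key name and the sssd helper path used in the usage note are assumptions chosen so the script runs against a scratch directory instead of the real system.

```shell
#!/bin/sh
# Added example, not part of the PR or the ComplianceAsCode project code.
# Models why audit_rules_privileged_commands must be remediated after any
# rule that can add SUID/SGID binaries (e.g. package_sssd_installed).
# Assumptions (hypothetical): ROOT and RULES_FILE are passed as arguments
# so the functions can be exercised on a scratch directory.
set -eu

# List SUID/SGID regular files under ROOT, one path per line, sorted.
list_privileged() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Emit one audit rule for a privileged binary. The auid filter and the
# "privileged" key are assumptions mirroring common hardening profiles.
rule_for() {
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n' "$1"
}

# Remediation: regenerate RULES_FILE from the binaries present *right now*.
# Anything installed after this runs is not covered.
remediate_privileged() {
    root="$1"; rules_file="$2"
    : > "$rules_file"
    list_privileged "$root" | while IFS= read -r path; do
        rule_for "$path" >> "$rules_file"
    done
}

# Check: report every privileged binary with no matching rule.
# Returns 0 when fully covered, 1 (with the missing paths on stdout) otherwise.
check_privileged() {
    root="$1"; rules_file="$2"
    missing=$(list_privileged "$root" | while IFS= read -r path; do
        grep -q -F -- "-F path=$path " "$rules_file" || printf '%s\n' "$path"
    done)
    if [ -n "$missing" ]; then
        printf 'missing audit rule: %s\n' "$missing"
        return 1
    fi
    return 0
}
```

Usage: create a scratch root with a couple of mode-4755 files, run `remediate_privileged "$ROOT" "$RULES"`, then add a new SUID file (standing in for an sssd helper installed by a later remediation) and run `check_privileged "$ROOT" "$RULES"`; it now exits 1 and names the uncovered binary, which is exactly the post-remediation failure the PR moves the auditing group to avoid.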
(force-pushed 24148c2 to c6c3dc1)
Code Climate has analyzed commit c6c3dc1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 0.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.2% (0.0% change).
/packit retest-failed
It looks good. The change is uncommon, but I think it is the only way to solve the problem of rule ordering right now.
I think that a more robust solution should be explored in the future.